About this guide 


Welcome to Qualys Cloud Platform and security scanning in the Cloud! We'll help you get 
acquainted with the Qualys solutions for scanning your Cloud IT infrastructure by using 
the Qualys Cloud Security Platform. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a 
founding member of the Cloud Security Alliance (CSA). For more information, visit 
www.qualys.com 


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access support information at www.qualys.com/support/ 
Introduction 


Welcome to Qualys Cloud Platform that brings you solutions for securing your Cloud IT 
Infrastructure as well as your traditional IT infrastructure. In this guide, let's talk about 
securing your Google Cloud Platform infrastructure by using Qualys Cloud Platform. 


Qualys Cloud Platform 


As a unified architecture that powers more than 15 Qualys security and compliance Cloud 
Apps, the Qualys Cloud Platform offers you a streamlined solution for avoiding the cost 
and complexities of managing multiple security vendors. By automatically gathering and 
analyzing security and compliance data from IT assets anywhere in one single-pane view, 
the Qualys Cloud Platform gives you the scalability, visibility, accuracy, and breadth of 
capabilities to fight cyber-attacks and build security into your digital transformation 
initiatives. 

If you're new to Qualys, we recommend you visit the Qualys Cloud Platform web page to 
know more about our cloud platform. 
Qualys Integration with Google Cloud Security Command Center: Overview 


You can now integrate Qualys Cloud Platform with the Cloud Security Command Center 
(Cloud SCC) for Google Cloud Platform (GCP), a security and data risk platform helping 
enterprises to gather data, identify threats, and act on them before they result in business 
damage or loss. 


Cloud SCC provides security teams a single pane for security features, policies, and 
insights across GCP. Qualys’ integration expands on existing data within the Cloud SCC by 
adding vulnerability management and threat data for compute engine instances within a 
GCP project. 
This capability gives customers visibility of Qualys data within Cloud SCC and allows 
DevOps and security teams to protect their workloads by gaining full visibility of 
vulnerability and threat posture at a glance. Users can further drill-down to find details 
and actionable intelligence for every identified vulnerability and can navigate with a 
single-click back to their Qualys subscription for additional reports and threat 
intelligence. 


Customers can gain access to Qualys-generated vulnerability and threat posture data 
within Cloud SCC by deploying Qualys’ lightweight Cloud Agents on workload images. This 
step either bakes the agent within the image or automatically deploys the agent on the 
compute engine instance. 


Prerequisites 


For the Qualys Integration with Google Cloud Security Command Center, the following 
options must be enabled for your Qualys subscription. 


Active Qualys subscription: 


To leverage the Qualys data collection, evaluation, and reporting capabilities for your GCP 
VM instances, you must first have an active Qualys subscription. For more details, contact 
Qualys Support or sign up for a free trial. 


Qualys Applications: 


- You must have the Qualys Vulnerability Management (VM/VMDR) and Qualys Cloud 
Agent modules enabled in your subscription. 


- Cloud Agents must be installed on your GCP VM instances. For more information, see 
Deploying Qualys Cloud Agent from Google Cloud Console. 


- As an alternative to Cloud Agent, you can add Virtual Scanner Appliances and configure 
them for your GCP instances. The GCP VM instance must be able to reach the Qualys Cloud 
Platform over HTTPS port 443. You will also need a scanner personalization code (14 
digits), which is used to deploy the Virtual Scanner Appliance. For every new virtual 
scanner appliance, you must generate a new personalization code. For more information, 
see Deploying Virtual Scanner Appliance in Google Compute Engine (GCP). 


Roles: 


- You must have the Manager or the Unit Manager role in your Qualys subscription. 


- You must have the following Cloud Identity and Access Management (Cloud IAM) roles to 
set up Security Command Center in the Google Cloud Console: 

  - Organization Admin (roles/resourcemanager.organizationAdmin) 
  - Security Center Admin (roles/securitycenter.admin) 
  - Security Center Settings Admin (roles/securitycenter.settingsAdmin) 
  - Security Admin (roles/iam.securityAdmin) 
  - Service Account Creator (roles/iam.serviceAccountCreator) 

To learn more, see Security Command Center roles. 


Google Cloud Security Command Center (SCC): 


Security Command Center must be enabled for your organization. For more details, see 
Quickstarts for Security Command Center. 


Security Command Center API: 


You must enable the Security Command Center APIs for the selected project. To know 
more, see Enable and disable Google APIs. 


GCP Metadata 


The following cloud provider metadata is provided by Qualys Cloud Agent and Qualys 
Virtual Scanner Appliance. 


Metadata provided by Qualys Cloud Agent 


General: 
- Instance ID 
- Host Name 
- Machine Type 
- Zone 
- Project Number 
- Project ID 


Network: 
- Private IP Address 
- MAC Address 
- VPC Network 
- Public IP Address 
- Network Interfaces 


Metadata provided by Qualys Virtual Scanner Appliance 
QID-45465 Google Cloud Platform (GCP) Linux Instance Metadata: 

- CPU-platform 
- Description 
- Hostname 
- ID 
- Image 
- Machine-type 
- Maintenance-event 
- Name 
- Tags 
- Zone 


Read more about Dynamic Tagging by Using GCP Metadata. 
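The metadata fields listed above are the ones a sensor can read from the Compute Engine metadata server on the instance itself. The Python example below is added to this guide (it is not Qualys or Google code) to show how those General and Network fields are gathered and how tags could be derived from them; the metadata paths and the Metadata-Flavor header are the real Compute Engine interface, while the asset_tags keys, the http_fetch/fake_fetch helpers and the sample responses are this example's own constructions.

```python
"""Added example: gather the GCP metadata fields listed above from the Compute Engine
metadata server. The HTTP call is injected so the logic runs offline with constructed data."""
import json
import urllib.request
from typing import Callable, Dict

METADATA_ROOT = "http://metadata.google.internal/computeMetadata/v1/"


def http_fetch(path: str) -> str:
    """Real fetch, usable only on a GCE instance: the server requires Metadata-Flavor: Google."""
    req = urllib.request.Request(METADATA_ROOT + path, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def collect_gcp_metadata(fetch: Callable[[str], str]) -> Dict[str, str]:
    """Return the General and Network fields the guide lists for Cloud Agent."""
    nic = "instance/network-interfaces/0/"
    meta = {
        "instance_id": fetch("instance/id"),
        "host_name": fetch("instance/hostname"),
        # Both values come back as full resource paths; keep only the last segment.
        "machine_type": fetch("instance/machine-type").rsplit("/", 1)[-1],
        "zone": fetch("instance/zone").rsplit("/", 1)[-1],
        "project_number": fetch("project/numeric-project-id"),
        "project_id": fetch("project/project-id"),
        "private_ip": fetch(nic + "ip"),
        "mac_address": fetch(nic + "mac"),
        "vpc_network": fetch(nic + "network").rsplit("/", 1)[-1],
    }
    try:
        meta["public_ip"] = fetch(nic + "access-configs/0/external-ip")
    except (KeyError, OSError):  # no external IP: real server answers 404, the fake raises KeyError
        meta["public_ip"] = ""
    return meta


def asset_tags(meta: Dict[str, str]) -> Dict[str, str]:
    """Hypothetical tag keys derived from the metadata, in the spirit of dynamic tagging."""
    zone = meta["zone"]
    return {
        "gcp:project": meta["project_id"],
        "gcp:region": zone.rsplit("-", 1)[0],   # us-central1-a -> us-central1
        "gcp:zone": zone,
        "gcp:vpc": meta["vpc_network"],
        "gcp:exposure": "public" if meta["public_ip"] else "private",
    }


# Constructed sample responses (not from a real instance) so the example runs offline.
SAMPLE_RESPONSES = {
    "instance/id": "1234567890123456789",
    "instance/hostname": "web-1.us-central1-a.c.example-project.internal",
    "instance/machine-type": "projects/123456789012/machineTypes/n1-standard-2",
    "instance/zone": "projects/123456789012/zones/us-central1-a",
    "project/numeric-project-id": "123456789012",
    "project/project-id": "example-project",
    "instance/network-interfaces/0/ip": "10.128.0.5",
    "instance/network-interfaces/0/mac": "42:01:0a:80:00:05",
    "instance/network-interfaces/0/network": "projects/123456789012/networks/default",
}


def fake_fetch(path: str) -> str:
    """Stand-in for http_fetch: raises KeyError for paths the sample instance lacks."""
    return SAMPLE_RESPONSES[path]


if __name__ == "__main__":
    meta = collect_gcp_metadata(fake_fetch)   # use http_fetch on a real instance
    print(json.dumps({"metadata": meta, "tags": asset_tags(meta)}, indent=2))
```

On a real instance, pass http_fetch instead of fake_fetch; the sample instance deliberately has no external IP so that the missing access-config path is exercised.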
Scanning in GCP Environments 


In this section, let's take a look at some common use cases for scanning a GCP 
environment. 


Networking Basics 


To start with, let's get familiar with a few terms in networking basics. 


VPC networks 


A Virtual Private Cloud (VPC) network provides networking functionality for Google 
Compute Engine Virtual Machine (VM) instances. It closely resembles a traditional 
network in your own data center, except that it is virtualized within Google Cloud. 
Without a VPC network, you cannot create VM instances. A VPC network is a global 
resource, but an organization may want to separate its deployment environments, and 
so creates multiple VPCs for isolation purposes. 


VPC Peering 


This is a networking connection between two VPCs that enables you to connect VM 
instances hosted in separate VPC networks and route traffic between them. 


Subnets 


Subnets are IP range partitions within a VPC network; each VPC network has one or 
more of them. A subnet is a regional resource. 


To understand the scanning procedure, see Scanning Assets. 


Use Cases for Scanning GCP environment 


The following are a few common use cases for scanning a GCP environment. You must 
configure your virtual scanner appliances to communicate with Qualys Cloud Platform over 
HTTPS (via firewall rules and proper routing). 


- Single scanner to scan multiple instances in a VPC in a single region 
- Multiple scanners to scan multiple instances in a VPC in a single region 
- Single scanner to scan multiple instances across subnets in different regions in a VPC 
- Multiple scanners to scan multiple instances across subnets in different regions in a VPC 
- Single scanner to scan multiple instances across subnets in different regions across 
peered VPCs 
- Multiple scanners to scan multiple instances across subnets in different regions across 
peered VPCs 
- Scanner cannot scan instances in non-peered VPC 
- Scanner cannot scan instances in VPCs with overlapping IP address 


Single scanner to scan multiple instances in a VPC in a single region 


A single Qualys scanner appliance can be configured to scan multiple GCP VM instances 
running in a single VPC in a single region. 
Multiple scanners to scan multiple instances in a VPC in a single region 


Based on the number of VM instances and scan frequency, multiple scanners might be 
required to scan multiple VM Instances in a subnet in a VPC. You can add more scanners 
based on requirements. 
Single scanner to scan multiple instances across subnets in different regions in a VPC 


A single scanner can reach multiple VM instances across different subnetworks in 
different regions within a single VPC. 
Multiple scanners to scan multiple instances across subnets in different regions in a VPC 


Based on the number of VM instances and scan frequency, multiple scanners might be 
required to scan multiple VM instances across subnets in different regions in a VPC. You 
can add more scanners based on requirements. 


Single scanner to scan multiple instances across subnets in different regions across 
peered VPCs 


A single scanner can reach multiple VM instances in different regions and subnets in a 
peered VPC. 


Multiple scanners to scan multiple instances across subnets in different regions across 
peered VPCs 


Based on the number of machines and scan frequency, multiple scanners might be 
required to scan multiple VM instances across peered VPCs in different regions. 
Scanner cannot scan instances in non-peered VPC 


Scanner's reachability is curtailed if the VPCs are not peered. In non-peered VPCs, 
scanners cannot reach the VM instances to launch a scan. 
Scanner cannot scan instances in VPCs with overlapping IP address 


A single scanner cannot scan VM instances in VPCs with overlapping IP addresses due to 
reachability issues. Add more scanner appliances based on your requirements to allow 
scanning across VPC boundaries. 


In the topology shown in the sample screenshot, VPC peering cannot be configured 
between VPC-A and VPC-B. So, in this case, the scanner in VPC-A cannot reach VM instances 
in VPC-B because VPC-A and VPC-B have one overlapping IP address range (10.20.0.0/20). 
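The overlapping-range rule above can be checked before you decide where a scanner must be placed. The Python example below is added to this guide (it is not Qualys code); it uses the standard ipaddress module to list colliding subnet pairs between two VPCs and applies the reachability rule from this section (same VPC, or peered VPCs with no overlap). The VPC names and subnet ranges are constructed to mirror the 10.20.0.0/20 collision described above.

```python
"""Added example: find overlapping subnet ranges between two VPCs, which rules out
VPC peering and therefore scanner reachability across them."""
import ipaddress
from typing import Dict, List, Tuple

Subnets = Dict[str, str]  # subnet name -> CIDR, as configured in one VPC


def overlapping_subnets(vpc_a: Subnets, vpc_b: Subnets) -> List[Tuple[str, str, str]]:
    """Return (subnet_in_a, subnet_in_b, overlapping_range) for every colliding pair.
    Any hit means the two VPCs cannot be peered, so a scanner in one cannot reach the other."""
    hits = []
    for name_a, cidr_a in vpc_a.items():
        net_a = ipaddress.ip_network(cidr_a, strict=True)
        for name_b, cidr_b in vpc_b.items():
            net_b = ipaddress.ip_network(cidr_b, strict=True)
            if net_a.version == net_b.version and net_a.overlaps(net_b):
                # Report the smaller (more specific) of the two ranges as the collision.
                shared = net_a if net_a.prefixlen >= net_b.prefixlen else net_b
                hits.append((name_a, name_b, str(shared)))
    return hits


def scanner_can_reach(scanner_vpc: Subnets, target_vpc: Subnets, peered: bool) -> bool:
    """Reachability rule from the guide: same VPC, or peered VPCs without overlapping ranges."""
    if scanner_vpc is target_vpc:
        return True
    return peered and not overlapping_subnets(scanner_vpc, target_vpc)


# Constructed topology (not taken from the guide's screenshot): VPC-A and VPC-B both
# carry 10.20.0.0/20, while VPC-C does not collide with VPC-A at all.
VPC_A = {"a-us-central1": "10.10.0.0/20", "a-us-east1": "10.20.0.0/20"}
VPC_B = {"b-us-west1": "10.20.0.0/20", "b-europe-west1": "10.30.0.0/20"}
VPC_C = {"c-asia-east1": "10.40.0.0/20"}

if __name__ == "__main__":
    for name, other in (("VPC-B", VPC_B), ("VPC-C", VPC_C)):
        hits = overlapping_subnets(VPC_A, other)
        print(f"VPC-A vs {name}: {'peerable' if not hits else 'overlap ' + str(hits)}")
```

Run with the real subnet lists exported from each VPC; a non-empty result for the VPC that hosts your scanner tells you that a second appliance in the other VPC is required rather than a peering.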


To understand the scanning procedure, see Scanning Assets. 
Deploying Sensors 


Qualys sensors, a core service of the Qualys Cloud Platform, make it easy to extend your 
security throughout your global enterprise. These sensors are remotely deployable, 
centrally managed and self-updating. They collect the data and automatically beam it up 
to the Qualys Cloud Platform, which has the computing power to continuously analyze 
and correlate the information in order to help you identify threats and eliminate 
vulnerabilities. 


Prior to scanning, you need to deploy sensors. Depending on your preference, you can 
deploy a virtual scanner appliance or a Qualys Cloud Agent. Let's go through the steps 
involved in deploying these sensors. 


- Deploying Virtual Scanner Appliance in Google Compute Engine (GCP) 
- Deploying Qualys Cloud Agent from Google Cloud Console 


Deploying Virtual Scanner Appliance in Google Compute Engine (GCP) 


You can scan your Google Cloud Compute Engine instances along with all other global 
elastic cloud and on-premise assets from within the Qualys Cloud Platform. Qualys 
Virtual Scanner Appliance can be directly deployed from the Google Marketplace. 


Scanner deployment involves configuration in Qualys Cloud Platform as well as GCP. 
Before we go through the steps to deploy a virtual scanner, let's understand the 
licensing/cost aspect and the deployment recommendations. 

Cost and Licenses 


Qualys Virtual Scanner Appliance is available as an image at Google Cloud Marketplace, 
ready for customers to launch onto GCP Virtual Machines. There are two aspects to 
consider: 


- Qualys costs for the virtual scanner license subscription. 
- GCP costs for the computing resources to run the appliance as a virtual machine. 


Note: Ensure that you use the image available at Google Cloud Marketplace or the Signed 
URL provided by Qualys for downloadable GCP-specific images. Images downloaded from 
the Qualys UI are not recommended for use on GCP. 


Qualys Cost 


You need to acquire a Qualys license for each virtual scanner appliance instance that you 
would like to run. This license is acquired from Qualys, not from GCP, and our scanner 
appliances are listed at Google Cloud Marketplace with a Bring Your Own License (BYOL) 
model accordingly. Each Qualys Virtual Scanner Appliance profile that you define in the 
Qualys Cloud Platform UI will consume a single virtual scanner appliance license. If you 
delete a virtual scanner appliance profile from your Qualys subscription, that license is 
freed up and immediately available for re-use. However, the personalization code that you 
generate to register a scanner appliance can be used only once. For every new virtual 
scanner appliance, you must generate a new personalization code. 


Contact your Qualys technical account manager or Qualys reseller for a pricing quotation 
or to request evaluation. 


GCP Cost 


For each virtual scanner appliance, a virtual machine is launched into one of your own GCP 
accounts. You are responsible for paying Google for the costs of running the appliance. 
Those costs include: 


- Compute Capacity based upon size 
- Storage 
- Data transfer IN/OUT 


The compute capacity charges (i.e., CPU, RAM) are overwhelmingly the largest part of the 
costs to run an instance. Note that you may not need to keep your scanner appliances 
running at all times. For any hours during which your virtual machine is stopped, only 
per-GB provisioned storage charges are incurred. For those able to spend a little more 
upfront, GCP virtual machines can be reserved by financially committing for one or three 
years to save. However, scanners should be turned on for at least several hours per week 
in order to ensure that they stay up to date with software and signatures. 


Deployment Recommendations for Scanner 


Following are some recommendations from Qualys for deploying scanners based on the 
network topology and the size of the GCP instance for hosting the scanner appliance. 


Instance Snapshots or Cloning Not Allowed 


Using a snapshot or clone of a virtual scanner instance to create a new instance is strictly 
prohibited. The new instance does not function as a scanner. All configuration settings 
and platform registration information will be lost. This could also lead to scans failing and 
errors for the original scanner. 


Moving or Exporting Instance Not Allowed 


Moving or exporting a registered scanner instance from a virtualization platform (HyperV, 
VMware, XenServer) in any file format to the Google Cloud Platform is strictly prohibited. 
This breaks scanner functionality and the scanner permanently loses all its settings. 


Virtual Machine Size for Hosting the Scanner 


The default sizing for a Qualys Virtual Scanner Appliance is 2 vCPU and 7.5 GB memory 
and can be customized. The maximum supported limit by Qualys is 16 CPUs and 16 GB 
RAM. Based on the frequency of scanning and the number of GCP virtual machines that 
are being scanned, you can scale up to a machine with 16 CPUs and 16 GB RAM. For 
customization, choose core to memory in the ratio of 1:3.5. 
What Do I Need? 


The Virtual Scanner option must be turned on for your account. Contact Qualys Support 
or your Technical Account Manager if you would like us to turn on this option for you. 


You must be a Manager or a sub-user with the "Manage virtual scanner appliances" 
permission. This permission may be granted to Unit Managers. Your subscription may be 
configured to allow this permission to be granted to Scanners. 


What Is Not Supported? 


The following features are not supported and are disabled in all cloud (private and public) 
platforms: 


- WAN/Split network SETTINGS - "WAN Interface" option for split network settings is not 
available from Scanner UI/console. Only LAN/single network settings from Cloud UI, used 
for both scanning and connecting to Qualys servers, are supported. 


- NATIVE VLAN - "VLAN on LAN" option for configuring Native VLAN is not available from 
scanner UI/console. 


- STATIC VLAN (IPV4 AND IPV6) - "VLANs" option for configuring static VLANs is not 
available from Qualys UI. 


- STATIC ROUTES (IPV4 AND IPV6) - Option to configure "Static Routes" is not available 
from Qualys UI. 


- IPV6 ON LAN - Option to configure "IPv6 on LAN" is not available from Qualys UI. 


Generating a Personalization Code 


Get a personalization code from your Qualys Cloud Platform subscription to register every 
new appliance instance. To get the code, do the following: 


1. Log in to the Qualys UI. 


2. From the module picker in the left, choose Vulnerability Management or Policy 
Compliance, depending on your scanning needs. 


3. Go to Scans > Appliances and select New > Virtual Scanner Appliance. 


[Screenshot: Vulnerability Management > Scans > Appliances, listing each appliance's 
name, personalization code, LAN IP, WAN IP and polling interval.] 
4. In the Add New Virtual Scanner dialog box, click Continue in the I Have My Image 
section. Give your virtual scanner a name. As per the GCP naming conventions, you can 
use lowercase letters, numbers, and hyphens in the scanner name. 


[Screenshot: Add New Virtual Scanner dialog, Name Your Virtual Scanner step, with the 
Virtual Scanner Name set to qualys-scanner.] 


5. Click Next to walk through the wizard. Copy the personalization code. 


[Screenshot: Add New Virtual Scanner dialog, Activate Your Virtual Scanner step, showing 
the virtual scanner name qualys-scanner, the personalization code to copy, and a field to 
confirm the personalization code after deployment.] 


6. Keep this window open and switch to your Google Cloud Portal to launch the appliance. 
You can check for activation status in the same window after deployment. 
Launching Virtual Scanner Appliance 


You can deploy a Qualys Virtual Scanner Appliance in either of the following ways: 

- Deploying scanner from Google Cloud Marketplace 
- Deploying Custom Image on Private Cloud Platforms 


Deploying scanner from Google Cloud Marketplace 
1. Sign in to Google Cloud Platform and navigate to Marketplace. 


2. In the Search box, type Qualys, and then from the search results, click Qualys Virtual 
Scanner Appliance. 


[Screenshot: Google Cloud Marketplace search for "qualys", listing Qualys Cloud Agent, 
Qualys Virtual Firewall Appliance, Qualys Virtual Scanner Appliance and Qualys Security 
for Cloud SCC.] 

3. Click Launch. 


[Screenshot: Qualys Virtual Scanner Appliance listing in Google Cloud Marketplace with the 
Launch button; the estimated cost is shown as a monthly compute charge plus the BYOL 
license fee, and the product runs on Google Compute Engine.] 


4. Provide the following details for the virtual scanner appliance instance: 


Deployment name: It is advised to specify the same name that you use on the Qualys 
Cloud Platform while generating a personalization code. 


Zone: Select a zone that co-locates the scanner instance with scan target instances. For 
the scanner to reach other zones, you must set up connectivity with the appropriate 
network configuration. 
Machine type: The default preset is 2 vCPU and 7.5 GB memory and can be customized. 


Note: The appliance supports a maximum of 16 cores and 16GB memory. For 
customization, choose core to memory in the ratio of 1:3.5. 


Personalization code: Provide the 14-digit personalization code generated from Qualys 
Cloud Platform. This is a one-time use code only. To register every new virtual scanner 
appliance instance, you must generate a fresh personalization code. 


Proxy URL (Optional): Add the proxy server URL to communicate with Qualys Cloud 
Platform via an SSL tunneling proxy. We support both IP and FQDN for the proxy server 
configuration. Specify the proxy server URL as username:password@proxyhost:port 


Syntax for proxy URL: 
- If you have a domain user, use this syntax: domain\username:password@proxyhost:port 
- If authentication is not used, use this syntax: proxyhost:port 

where proxyhost is the IP address or the FQDN of the proxy server and port is the 
proxy port. 


Examples: 
- doe:abc12345@10.40.1.123:3128 
- jdoe:abc12345@myproxy.qualys.com:3128 


Boot Disk 

Do not change the following values unless instructed by Qualys Support: 
Boot disk type: Standard Persistent Disk 

Boot disk size in GB: 56 


[Screenshot: New Qualys Virtual Scanner Appliance deployment form (Configure & deploy) 
with the Deployment name and Network interfaces fields; the appliance supports a 
maximum of one network interface.] 
5. Click Deploy and follow to the section Post-deployment Progress and Monitoring. 


Deploying Custom Image on Private Cloud Platforms 


Here you are expected to build a Qualys scanner image specific to your private cloud 
platform. Do the following: 


1. Download the qVSA image file (tar.gz) by using the SAS link provided by Qualys 
Operations. For more details, contact Qualys Support. 


2. Create a Google Storage Bucket. 

3. Upload the downloaded qVSA image file to your storage bucket. 

4. Create the Qualys Scanner Image by using the uploaded qVSA image file (tar.gz). 

5. Provide the following details for the virtual scanner appliance instance custom image: 


Name: Provide a unique name to identify the Qualys Scanner appliance image. 
Source: Select Cloud Storage File, which allows you to select the Qualys Scanner image file 
stored in the Storage Bucket. In the following image, qualys-scanner is a bucket name and 
qVSA-GCE-xxxxxxx.tar.gz is the Qualys scanner image file. 


[Screenshot: Create an image dialog with Source set to Cloud Storage file and the file 
qualys-scanner/qVSA-GCE.tar.gz selected. The console notes that the image source must 
use the tar.gz extension and the file inside the archive must be named disk.raw. Location 
can be Multi-regional or Regional (us-east1 in the example); Encryption defaults to a 
Google-managed key, with Customer-managed and Customer-supplied key options.] 


6. Generate a personalization code. (Generating a Personalization Code) 


7. Provide the following details for the Virtual Scanner Appliance instance: 


Deployment name: It is advised to specify the same name that you use on the Qualys 
Cloud Platform while generating a personalization code. 
Zone: Select a zone that co-locates the scanner instance with scan target instances. For 
the scanner to reach other zones, you must set up connectivity with the appropriate 
network configuration. 


Machine type: The default preset is 2 vCPU and 7.5 GB memory and can be customized. 


Note: The appliance supports a maximum of 16 cores and 16GB memory. For 
customization, choose core to memory in the ratio of 1:3.5. 


Boot Disk 
Change the boot disk to the newly created Qualys Scanner Appliance image disk. 
Do not change the following values unless instructed by Qualys Support: 


Boot disk type: Standard Persistent Disk 
Boot disk size in GB: 56 


[Screenshot: Create an instance form with name pcp-vscanner, region us-central1 (Iowa), 
zone us-central1-a, General-purpose N1 series, machine type n1-standard-2 (2 vCPU, 
7.5 GB memory), and the boot disk changed to a new 56 GB standard persistent disk.] 
Metadata (Optional) 


You can set custom metadata for an instance or project outside of the server-defined 
metadata. This is useful in passing in arbitrary values to your project or instance that can 
be queried by your code on the instance. 


PERSCODE: Provide the 14-digit personalization code generated from Qualys Cloud 
Platform. 
See Generating a Personalization Code. 


PROXY_URL (Optional): Add the proxy server URL to communicate with Qualys Cloud 
Platform via SSL tunneling proxy. We support both IP and FQDN for the proxy server 
configuration. Specify the proxy server URL as username:password@proxyhost:port 


Syntax for proxy URL: 
- If you have a domain user, use this syntax: domain\username:password@proxyhost:port 
- If authentication is not used, use this syntax: proxyhost:port 

where proxyhost is the IP address or the FQDN of the proxy server and port is the 
proxy port. 


Examples: 
- doe:abc12345@10.40.1.123:3128 
- jdoe:abc12345@myproxy.qualys.com:3128 
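Both the Marketplace form field (Proxy URL) and the custom-image metadata item (PROXY_URL) take the same value syntax described above. The Python example below is added to this guide (it is not Qualys code, and the appliance's own validation logic is not documented here); it parses the three documented forms, rejects anything else before the value is stored in instance metadata, and produces a redacted form suitable for logs. The hostname regex and the port range are this example's assumptions.

```python
"""Added example: parse and validate a PROXY_URL value in the forms the guide lists:
proxyhost:port, username:password@proxyhost:port, domain\\username:password@proxyhost:port."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Hostname rule assumed here: DNS labels of letters, digits and hyphens (RFC 1123 style).
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{LABEL}\.)*{LABEL}$")


@dataclass
class ProxyConfig:
    host: str
    port: int
    username: Optional[str] = None
    password: Optional[str] = None
    domain: Optional[str] = None

    def redacted(self) -> str:
        """Form safe for logs and tickets: the password is never echoed."""
        user = ""
        if self.username:
            user = (f"{self.domain}\\" if self.domain else "") + f"{self.username}:***@"
        return f"{user}{self.host}:{self.port}"


def parse_proxy_url(value: str) -> ProxyConfig:
    """Parse the documented PROXY_URL forms; raise ValueError on anything else."""
    value = value.strip()
    if not value:
        raise ValueError("empty proxy URL")
    if "://" in value:
        raise ValueError("no scheme allowed: use [[domain\\]username:password@]proxyhost:port")
    # Split on the LAST '@' so a password containing '@' still parses.
    creds, has_creds, hostport = value.rpartition("@")
    host, has_port, port_text = hostport.rpartition(":")
    if not has_port or not host or not port_text.isdigit():
        raise ValueError("expected proxyhost:port")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    try:
        ipaddress.IPv4Address(host)          # IP literal form
    except ValueError:
        if not FQDN_RE.match(host):          # otherwise it must be an FQDN
            raise ValueError(f"invalid proxy host: {host!r}")
    cfg = ProxyConfig(host=host, port=port)
    if has_creds:
        user, has_pwd, password = creds.partition(":")
        if not has_pwd or not user or not password:
            raise ValueError("credentials must be username:password")
        domain, has_domain, bare_user = user.partition("\\")
        if has_domain:
            if not domain or not bare_user:
                raise ValueError("domain form must be domain\\username")
            cfg.domain, cfg.username = domain, bare_user
        else:
            cfg.username = user
        cfg.password = password
    return cfg


if __name__ == "__main__":
    # The guide's two examples plus a constructed domain-user form and a bare host.
    for sample in ("doe:abc12345@10.40.1.123:3128",
                   "jdoe:abc12345@myproxy.qualys.com:3128",
                   "corp\\jdoe:abc12345@myproxy.qualys.com:3128",
                   "myproxy.qualys.com:3128"):
        print(parse_proxy_url(sample).redacted())
```

Because the value lands in instance metadata, which is readable by anything on the instance, prefer a dedicated proxy account with the minimum rights needed to reach the Qualys Cloud Platform, and use redacted() rather than the raw string whenever the configuration is logged.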


27 


Securing GCP with Qualys 
Deploying Sensors 


[Screenshot: the Metadata section of the Create an instance form with custom items 
PERSCODE and PROXY_URL, and the Availability policy with Preemptibility Off 
(recommended), On host maintenance set to Migrate VM instance (recommended), and 
Automatic restart On (recommended).] 


8. Click Create. 


Post-deployment Progress and Monitoring 


Deployment of the Qualys Virtual Scanner Appliance can take up to 10 minutes. Upon 
deployment, the appliance connects with the Qualys Cloud Platform to complete 
registration. The appliance also downloads the latest software and vulnerability 
signatures. 


You can monitor the progress of the instance creation in the GCE VM instances. 
To view further progress of the appliance configuration or to diagnose any issues, look at 
the serial console output. Click 'Serial port 1 (console)' in the Logs section. 


[Screenshot: the Logs section of the VM instance page in Google Cloud Console, listing Cloud Logging and Serial port 1 (console) through Serial port 4; the Serial port 1 view shows the kernel boot messages of qualys-scanner-vm.]

In Google Compute Engine (GCE), you can also check VM status graphs for instance 
resources such as CPU utilization, disk I/O and network status: 


[Screenshot: VM instance details for qualys-scanner-vm, Monitoring tab, showing the CPU Utilization and Network Bytes graphs.]



From the Qualys Cloud Platform UI, you can check the activation status of your Qualys 
Virtual Scanner Appliance. Click Check Activation in the Add New Virtual Scanner dialog 
from where you copied the personalization code. 


Learn more about Generating a Personalization Code. 
[Screenshot: the Add New Virtual Scanner dialog, Activate Your Virtual Scanner step, showing the Virtual Scanner Name, the Personalization Code field and the Check Activation button.]

Indicators of Scanner Appliance Statuses 


You can check the status of the virtual scanner appliance in the Qualys Cloud Platform UI. 
Go to Scans > Appliances and search for your appliance in the list. It can take several 
minutes for the Qualys user interface to get updated after you add a new appliance. 
Refresh your browser periodically to ensure that you see the most up-to-date details. 


The following table lists the various indicators and the respective appliance status that 
they denote: 


Indicator | Meaning 
Connected icon | The appliance is connected to Qualys Cloud Platform and is ready to perform scans. 
Not connected icon | The appliance is not connected to Qualys Cloud Platform and is not ready to perform scans. Check to be sure your appliance is properly configured and can access Qualys Cloud Platform. 
Busy icon | The scanner is currently busy with a scan job. See the preview pane for available capacity. 
Idle icon | The scanner is not busy with any scan job. 


After you see the connected indicator, start your internal scans. The busy icon stays 
grayed out until you launch a scan using this scanner. 


Diagnosing Common Errors in Scanner Deployment 


Check for errors in the output in the Serial Port 1 (console). 


[Screenshot: Serial port 1 output of qualys-scanner-vm. The tagger process reads the DHCP lease file, finds the default gateway 10.168.0.1 for eth0 in the system routing table, and then logs "c-ares error [Domain name not found]", "check_network: could not resolve datacenter host name" and "Error: LAN DNS servers cannot resolve the QG U...", a DNS failure that keeps the appliance from reaching the Qualys platform.]



If you find issues with the personalization code, shut down the VM, fix the Metadata 
PERSCODE value and start the VM again. If the problem persists and the appliances are 
not communicating with Qualys Cloud Platform, contact Qualys Support. Include your 
Qualys portal URL, username and attach the serial output logs to the support ticket. 


For more information about the errors and the troubleshooting tips related to Qualys 
Virtual Scanner Appliance, see Scanner Appliance Troubleshooting and FAQs. 


You can install Qualys Cloud Agents (Windows and Linux) on GCP VM instances through the 
integration of the Qualys Cloud Agent solution in the GCP Marketplace. The integration is 
Bring Your Own License (BYOL): only Qualys customers can use it, because configuring it 
requires a Cloud Agent Customer ID and Activation ID. 


Deploying Qualys Cloud Agent from Google Cloud Console 


Using this solution, you can configure deployment of the Qualys Cloud Agent on specified 
compute instances on Google Cloud Platform. Using the Cloud Agent, you can activate 
multiple applications on the Qualys Cloud Platform (for example, Vulnerability 
Management, Policy Compliance, File Integrity Monitoring) as supported for each 
operating system. Additionally, you can integrate these Qualys security findings (such as 
vulnerabilities) directly into GCP by leveraging the Qualys integration with Google Cloud 
Security Command Center, which pushes these findings into Google Security Command 
Center. 
Prerequisites For Deploying Cloud Agent From Google Cloud Console 


You must have an active Qualys subscription. To buy a subscription, contact Support or 
Sign up from the Qualys website. 


Ensure that you have the Cloud Agent module available and enabled in your subscription. 
The appropriate Customer ID and Activation ID are required to configure the installation. 


Application modules such as Vulnerability Management, Policy Compliance, File Integrity 
Monitoring, among others, must be available and enabled. 


Enable the following APIs from the Google Cloud Platform: 
- Cloud OS Config API 
- Compute Engine API 


Then install the OS Configuration agent on your virtual machine. To know more, see the 
documentation for Deploying Security Software Agents from Google Cloud Marketplace 
and Enabling an API. You can also enable the OS Config and Compute Engine APIs by using 
gcloud commands through the Google Cloud SDK shell. 


Enable the OSConfig Agent in your project metadata. To enable this, use either of the 
following gcloud commands: 


gcloud compute project-info add-metadata --metadata=enable-osconfig=true 


gcloud compute project-info add-metadata --metadata=enable-osconfig=true,enable-os-inventory=true,enable-guest-attributes=true,os-package-enabled=true,enable-os-config-debug=true,os-debug-enabled=true 


You can also enable the OSConfig Agent from the Google Cloud console, under Compute 
Engine > Metadata. Setting these metadata values enables OS inventory management, OS 
patch management and OS configuration management, which is a prerequisite for this 
solution because the integration works on Google's OS configuration management 
feature. 


Ensure that you have the following IAM permissions. If you don't, create a custom role 
that includes them. To know more, see Creating and managing custom roles. 


- osconfig.guestPolicies.create 
- osconfig.guestPolicies.delete 
- osconfig.guestPolicies.get 
- osconfig.guestPolicies.list 
- storage.buckets.create 
- storage.buckets.get 
- storage.objects.create 
- storage.objects.delete 
Make sure that all the VM instances that you include in the deployment process have 
outbound connectivity to reach Qualys Cloud Platform. Check out the GCP support page 
to learn more. 
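The prerequisites above can be verified before you start the Marketplace deployment. The following shell script is an added example written for this guide, not Qualys's or Google's own tooling: it reads the project metadata as key=value lines and a role's permission list, both obtained from gcloud, and reports the required keys and permissions that are still missing. The input formats, the gcloud commands named in the comments and the sample values are assumptions.

```bash
#!/bin/sh
# Added preflight check for the prerequisites above. It never calls gcloud
# itself: you pipe in text obtained from gcloud (or the constructed samples
# in demo_run) and it reports what is still missing.

# Project metadata keys set by the gcloud commands in the prerequisites
# (the two *-debug keys of the longer command are optional and not checked).
REQUIRED_METADATA="enable-osconfig enable-os-inventory enable-guest-attributes os-package-enabled"

# IAM permissions the prerequisites list for the deploying identity.
REQUIRED_PERMS="osconfig.guestPolicies.create osconfig.guestPolicies.delete \
osconfig.guestPolicies.get osconfig.guestPolicies.list \
storage.buckets.create storage.buckets.get \
storage.objects.create storage.objects.delete"

# check_metadata: stdin holds the project metadata as key=value lines
# (assumed input form; build it from 'gcloud compute project-info describe').
# Prints the required keys that are absent or not "true" (case-insensitive)
# and returns 1; prints nothing and returns 0 when every key is set.
check_metadata() {
    input=$(cat)
    missing=""
    for key in $REQUIRED_METADATA; do
        val=$(printf '%s\n' "$input" | awk -F'=' -v k="$key" '$1 == k { print tolower($2) }')
        [ "$val" = "true" ] || missing="$missing $key"
    done
    [ -z "$missing" ] && return 0
    printf 'metadata missing or not true:%s\n' "$missing"
    return 1
}

# check_role_permissions: stdin holds a role's permissions, one per line or
# ';'-separated (assumed to come from 'gcloud iam roles describe', whose
# value() output format joins list items with ';').
# Prints the required permissions the role lacks and returns 1; otherwise 0.
check_role_permissions() {
    perms=$(tr ';' '\n')
    missing=""
    for p in $REQUIRED_PERMS; do
        printf '%s\n' "$perms" | grep -qx "$p" || missing="$missing $p"
    done
    [ -z "$missing" ] && return 0
    printf 'permissions missing:%s\n' "$missing"
    return 1
}

# demo_run: constructed sample inputs (not output from a real project) that
# show one passing and one failing check of each kind.
demo_run() {
    printf 'enable-osconfig=true\nenable-os-inventory=TRUE\nenable-guest-attributes=true\nos-package-enabled=true\n' \
        | check_metadata && echo "metadata: ok"
    # The short one-key command from the prerequisites leaves the rest unset.
    printf 'enable-osconfig=true\n' | check_metadata || true
    printf 'osconfig.guestPolicies.create;osconfig.guestPolicies.delete;osconfig.guestPolicies.get;osconfig.guestPolicies.list;storage.buckets.create;storage.buckets.get;storage.objects.create;storage.objects.delete\n' \
        | check_role_permissions && echo "permissions: ok"
    # A read-only role cannot create the guest policy or the installer bucket.
    printf 'osconfig.guestPolicies.get\nosconfig.guestPolicies.list\nstorage.buckets.get\n' \
        | check_role_permissions || true
}

demo_run
```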


Getting Started with the Deployment 


To start with, subscribe and configure Qualys Cloud Agent solution available on the GCP 
Marketplace to quickly deploy and install agents on multiple Google VM Instances with no 
software to maintain. 


The configuration workflow follows a two-step process: 


1. Retrieving Customer ID, Activation ID and Platform Information from Qualys 
Subscription 


2. Configuring Qualys Cloud Agent solution on GCP Console 


Retrieving Customer ID, Activation ID and Platform Information from 
Qualys Subscription 


The Qualys Customer ID, Activation ID, and platform information are the required fields 
for configuring the Qualys Cloud Agent solution available on Google Cloud Console. 


Follow the steps to retrieve Qualys Customer ID and Activation ID: 


1. Log in to your Qualys subscription. Navigate to the "Cloud Agent" application module from 
the module picker on the left, and then click the Activation Keys tab. 


[Screenshot: the Cloud Agent module, Agent Management section, with the Agents, Activation Keys and Configuration Profiles tabs; the agent list is empty and notes that an activation key is needed to get started.]

2. Click New Key and generate an activation key. Specify a unique name to identify the key 
(for example, GCP Cloud Agent) and select Vulnerability Management and/or other cloud-
agent-supported modules depending on your licenses. 


[Screenshot: the New Activation Key dialog with the Title GCP Cloud Agent, the Provision Key for these applications list (Global Asset View, Vulnerability Management, Endpoint Detection and Response, Secure Config Assessment, Patch Management, Policy Compliance and File Integrity Monitoring, each with its remaining activations), the Select the Network option set to Global Default Network, and the Unlimited Key and Generate buttons. The dialog notes that an activation key is used to install agents, provides a way to group agents, and is unlimited by default, allowing any number of agents to be added at any time.]

We recommend that you create a tag for the GCP key so that the tag is dynamically 
associated with the assets identified via the key. 


You will get the acknowledgment "New activation key generated successfully" together 
with the Activation Key. 


[Screenshot: the New Activation Key dialog after generation, showing the Activation Key, the Key Type (Unlimited key) and the Installation Requirements list with Install instructions links for Windows (.exe, x86-32/64), Linux (.rpm), Linux ARM64 (.rpm) and Linux (.deb) packages and the distributions each supports.]

3. Currently, this integrated deployment supports only Windows and Linux agents. In the 
Installation Requirements section, click Install Instructions within Windows or Linux to 
retrieve your Customer ID and the Activation ID. 


[Screenshot: the Windows Installation Requirements in the New Activation Key dialog: the host needs local administrator privileges and must be able to reach the Qualys Cloud Platform or the Qualys Private Cloud Platform over HTTPS port 443; after downloading the installer, the install command QualysCloudAgent.exe CustomerId={...} ActivationId={...} carries the Customer ID and Activation ID.]

Configuring Qualys Cloud Agent solution on GCP Console 


The Qualys-GCP integration leverages telemetry from the Qualys cloud agent and security 
findings from other Qualys apps including Vulnerability Management, Policy Compliance, 
FIM, IOC, Patch Management and Global Asset IT Inventory. To configure the Qualys Cloud 
Agent solution available in the GCP Marketplace, follow the process as mentioned below. 
Ensure you have completed the Prerequisites For Deploying Cloud Agent From Google 
Cloud Console before proceeding with the following process. 


1. Go to GCP Marketplace and search for Qualys. 


[Screenshot: the Google Cloud Console navigation menu with Marketplace selected.]

2. Click Qualys Cloud Agent. Another sign-up page is displayed. 


[Screenshot: Marketplace search results for "qualys": Qualys Cloud Agent (APIs & services), Qualys Virtual Firewall Appliance (Virtual machines), Qualys Virtual Scanner Appliance (Virtual machines) and Qualys Security for Cloud SCC (APIs & services).]

3. Click VISIT QUALYS, INC. SITE TO SIGN UP. 


[Screenshot: the Qualys Cloud Agent Marketplace listing (Type: APIs & services, billed by partner) with the VISIT QUALYS, INC. SITE TO SIGN UP button. The overview states that the solution natively integrates the Qualys Cloud Agent into VM instances launched within Google Cloud Platform, that customers provide their Qualys subscription information to set up the integration, and that Qualys application findings (for example Vulnerability Management findings) can additionally be integrated into Google Cloud Security Command Center.]


4. If you have already enabled the Cloud OS Config API, you are redirected to the main 
configuration page. 
5. If you haven't enabled the OS Config API, you are redirected to the Cloud OS Config API 
library page on the GCP console. To enable the OS Config API, click ENABLE. Also, make 
sure you install the OS Configuration Agent as mentioned in the prerequisites. 


[Screenshot: the OS Config API page in the API library (service name osconfig.googleapis.com). The API provides OS management tools for patch management, patch compliance and configuration management on VM instances.]


You are redirected to the main Qualys Cloud Agent configuration page. 


[Screenshot: the Qualys Cloud Agent configuration page under Security in Google Cloud Console, with the Customer Information fields Guest Policy ID, Customer ID, Activation ID and Select Qualys Platform; the VM Assignment section (ADD A VM LABEL, ADD A VM INSTANCE NAME PREFIX), which applies to all instances when empty and otherwise requires targeted instances to meet all constraints; and the Storage Bucket Details section.]


6. Specify an appropriate name as Guest Policy ID. For example, qualys-demo. Guest 
policy ID is used to uniquely identify a specific policy. 


Note: Guest Policy ID must contain only lowercase letters, numbers and dashes. 


Guest policies are created automatically. 
7. Enter the Customer ID and the Activation ID retrieved from the Qualys portal. 


8. From the Select Qualys Platform list, select the desired platform to which the data must 
be reported. Click What's your Qualys Platform? to verify your Qualys platform. 


9. Select VM Assignment. By selecting this, the guest policy is updated so that the agent is 
installed on any new or existing VM instances that match the assignment. If no 
assignments are added, it applies to all instances. Here, you can add a label for VM 
instances or a VM instance name prefix. To add a VM label, click ADD A VM LABEL, and to 
add a VM instance name prefix, click ADD A VM INSTANCE NAME PREFIX. After the 
assignment is configured, the guest policy ensures that the Qualys Cloud Agent is installed 
on all VM instances with the specified labels or name prefix. 


10. Select the region for the Cloud Storage bucket in the Storage Bucket Details section 
and click DEPLOY. This deploys the Qualys Cloud Agent on the VM instances that match 
the VM assignment. A Cloud Storage bucket is automatically created in your project to 
reduce the load on the original source of installers. The storage buckets created as part 
of this configuration are synced with the original source of installers: the installers are 
copied automatically into the bucket from the original source so that they are available 
to all VM instances within the project. Only one storage bucket is created in the specified 
region (the regional parameter is a legal requirement to satisfy regulations on data 
localization), and it can be reused to launch subsequent deployments. 


[Screenshot: the Storage Bucket Details section. The installation packages are copied to a new Cloud Storage bucket owned by the project, or an existing bucket for the project and the selected region is reused; the region selector (here set to us) is followed by the note that the created bucket will have a name of the form security-agents-us-*.]


This completes the Qualys Cloud Agent deployment and configuration procedure. 




Scanning Assets 


This section helps you understand the steps to scan your network. Before you initiate your 
scan, you must complete the following checks and configurations in your setup: 


GCP Scan Checklist 


We recommend these steps before scanning. 
- Check Appliance Status 
- Configure OS Authentication 


Check Appliance Status 


In your Qualys VMDR or Policy Compliance subscription, go to Scans > Appliances and be 
sure the new Scanner Appliance is connected to the Qualys Cloud Platform. The connected 
icon means your appliance is connected and ready for scanning. 


Tips and Best Practices 


Have you defined networks in Qualys? Move your Virtual Scanner Appliance 
This step is recommended if you've defined custom networks in your Qualys account. 


By default, a new Virtual Scanner Appliance is placed in the Global Default Network and 
when a scan is performed, host scan data is added to that network. We recommend you 
move this Virtual Appliance to the desired network before scanning a custom network. 


Go to Assets > Networks, edit the network you want to move the Virtual Appliance to, 
and add the appliance to that network. 


Configure OS Authentication 


Using host OS authentication (trusted scanning) allows our service to log in to each target 
system during scanning. Running authenticated scans gives you the most accurate results 
with fewer false positives. In your Qualys VMDR subscription, go to Scans > Option 
Profiles. Edit the Initial Options profile, click Save As to save a copy with another name. 
In your new profile, on the Scan tab, enable the authentication types that you need. 
[Screenshot: the Authentication section of the option profile's Scan tab. Authentication enables the scanner to log into hosts at scan time to extend detection capabilities; checkboxes are listed for Windows, Unix/Cisco, Oracle, Oracle Listener, SNMP, VMware, MySQL, Tomcat Server, MongoDB, Palo Alto Networks Firewall, Oracle WebLogic Server, JBoss Server, Sybase and others.]


In VMDR, go to Scans > Authentication. Add OS authentication records for the GCP 
instances that you'll be scanning: Unix and/or Windows. In the record, add credentials for 
the account to be used for authentication; this is an OS user account (not the IAM 
user). We recommend you create a dedicated account for authentication on target 
systems. 


[Screenshot: VMDR, Scans > Authentication tab.]


The following are the sample UNIX and Windows records for your reference: 


Sample UNIX Record 


1. In the New Unix Record wizard, on the Record Title screen, give a name to your record 
and select the network. 


2. On the Login Credentials screen, provide the username, select Skip Password, and 
select the target type. 


[Screenshot: New Unix Record, Login Credentials screen: Username gcp-user, Skip Password selected, Target Type Auto (default); the password can alternatively be fetched from a vault available in the account.]


3. On the Private Keys / Certificates screen, click Add Private Key/Certificate and then, in 
the Private Key / Certificate dialog box, select the key type (RSA, DSA, ECDSA, ED25519) 
and enter your private key content. 


[Screenshot: the Private Key / Certificate dialog with Private Key Type RSA and a Private Key Content field indicating that a private key is installed; the key can also be fetched from a vault.]

4. On the Assets screen, enter the Unix IP addresses or ranges of your GCP virtual 
machines for this record. Credentials in this record are used to scan these assets. 


[Screenshot: New Unix Record, Assets screen, with IPs/Ranges selected as the asset type and the IP 10.97.15.117 entered.]


Sample Windows Record 


1. In the New Windows Record wizard, on the Record Title screen, give a name to your 
record and select the network. 
2. On the Login Credentials screen, enter the username and password. 


[Screenshot: New Windows Record, Login Credentials screen: Windows Authentication set to Local (Domain is the alternative), Basic authentication with User Name admin and a password (an authentication vault can be used instead), and the Choose Authentication Protocols section, which tries the selected protocols in the order listed, with NTLMv2 and NTLMv1 checkboxes, an SMB signing required option and a Minimum SMB version selector.]



3. On the Assets screen, enter the Windows IP addresses or ranges of your GCP virtual 
machines for this record. Credentials in this record are used to scan these assets. 


Learn more about OS authentication 


Online help within the authentication record workflows provides detailed instructions and 
guidance on all available options. These documents are good resources. 


Qualys Windows Authentication Guide (pdf) 
Qualys Unix Authentication Guide (pdf) 


Internal Scanning using Virtual Scanning Appliance 


Scanning with a virtual scanner appliance involves the following sequence of steps: 


1. Based on your requirements, create a dynamic tag with Cloud Asset Search filters under 
the Qualys AssetView module. 


For example: 
- All running VM instances in your Qualys subscription: gcp.compute.state:"RUNNING" 
- All running VM instances in your GCP project: gcp.compute.projectId:<your GCP Project ID> and gcp.compute.state:"RUNNING" 
- All running VM instances in the US East 1 zone: gcp.compute.state:"RUNNING" and gcp.compute.zone: us-east1-b 


2. Extract IP addresses of machines returned by tags created in step 1. You can extract it by 
using Download or API Query to Host Assets. 


3. Add these IP addresses grouped as Asset Groups or individually as Host Assets under 
Assets tab in VM or VMDR. 


4. Configure OS Authentication. 


5. Now, let's start scanning. Go to VM or VMDR > Scans > Scans > New > Scan (or Schedule 
Scan). 


[Screenshot: VMDR > Scans > New menu: Scan, EC2 Scan, Cloud Perimeter Scan, CertView Scan, Cloud CertView Scan, Schedule Scan, Schedule EC2 Scan, Schedule CertView Scan, Schedule Cloud CertView Scan, Host, Asset Group..., Option Profile..., Download...] 

6. Identify your scan target. Click Assets to select a combination of asset groups and IP 
addresses to scan or click Tags to select one or more asset tags to scan. 
[Screenshot: Launch Vulnerability Scan. General Information: Title (GCP_Scan), Option Profile (Initial Options (default)), Processing Priority, Network (Global Default Network), Scanner Appliance (GCP-Scanner-US-Central) for internal scans. Choose Target Hosts from: Assets (Asset Groups, IPs/Ranges, Exclude IPs/Ranges) or Tags. Option: Temporarily add agent addresses, which adds the IP addresses of any agents in your target that are not already in your subscription, for this scan only. Notification: Send notification when this scan is finished.] 

7. Click Launch, and you're done! 


Internal Network Scanning by using Qualys Cloud Agent 


Using our revolutionary Qualys Cloud Agent platform you can deploy lightweight cloud 
agents to continuously assess your GCP infrastructure for security and compliance. 


Cloud Agent features 


- Communicates to the Qualys Cloud Platform over port 443 and supports Proxy 
configurations. 


- Deployable directly on GCP VM instances or embedded in workload images. Works well for 
cloud-burst and ephemeral instances. 


- Supports scanning a range of Linux and Windows OS versions 
- Supports scanning GCP instance OS vulnerabilities 


For more information on Qualys Cloud Platform and Qualys Cloud Agent, we recommend 
the following resources: 


- Qualys Cloud Platform 
- Qualys Cloud Agent Getting Started Guide 

Get Started 

Navigate to the Cloud Agent (CA) app and install the Cloud Agent in minutes. 


[Screenshot: Cloud Agent > Agent Management > Activation Keys > New Activation Key. An activation key is used to install agents; it provides a way to group agents and better manage your account. By default the key is unlimited, allowing any number of agents to be added at any time. Fields: Title; Assign key and activate for applications (VM, PC, etc.). Install New Agent deploys directly on the instance or embeds the agent into images.] 


External Scanning using External Scanner Appliance 


We provide the ability to scan public-facing virtual machines in your GCP cloud 
environment. You must use the standard scan workflow to scan your public-facing GCP 
VM instances: create a tag for your GCP instances that have a publicly assigned IP, specify 
those IPs in a standard scan workflow, select the external scanners in the scan setup, and 
launch the scan. Also ensure that those external IPs are activated in your Qualys 
subscription. 


Qualys External Scanners (Internet Remote Scanners) located at the Qualys Cloud 
Platform are used for external scanning of GCP VM instances. For subscriptions on Private 
Cloud Platforms, your account may be configured to allow internal scanners to be used. 


Get Started 


You can run an external scan immediately or on a schedule. All cloud perimeter scans are 
scheduled, either for "now" (a one-time scan job) or "recurring". After you save, the scan 
job appears on the Schedules list. When the scan job starts, it appears on your Scans list. 


1. Based on your requirements, create a dynamic tag with Cloud Asset Search filters under 
"AssetView" app. 


For example, 


All running public VM instances in your Qualys subscription: 
not gcp.compute.publicIpAddress is null and gcp.compute.state:"RUNNING" 


All running public VM instances in your GCP project: not gcp.compute.publicIpAddress is 
null and gcp.compute.projectId:<your GCP Project ID> and gcp.compute.state:"RUNNING" 


All running public VM instances in a zone: not gcp.compute.publicIpAddress is null and 
gcp.compute.state:"RUNNING" and gcp.compute.zone:us-east1-b 

2. Extract IP addresses of machines returned by tags created in step 1. You can extract them 
by using Download or an API query to Host Assets. 


3. Add these IP addresses grouped as Asset Groups or individually as host assets under the 
Assets tab in VM or VMDR. 


4. Configure OS Authentication. 


5. Now, let's start scanning. Go to VM or VMDR > Scans > Scans > New > Scan (or 
Schedule Scan). 


[Screenshot: VMDR > Scans > New menu, showing Schedule Scan, Schedule EC2 Scan and Asset Group...] 


6. In the Launch Vulnerability Scan window, provide the required details like scan title, 
option profile, and network, among others. Select the External scanner appliance type 
from the dropdown list. 


7. Identify your scan targets. You can either add the exported list of IPs to an asset group 
or directly list the IP addresses to scan. 


8. Click Launch and you're done! 


Note that when you choose Now, your scan may not start immediately. We'll check for 
new scan requests every few minutes. If a scanner is available and you haven't reached 
your concurrent scan limit, then we'll launch the scan. If scanners are not available or you 
have reached your limit, then the scan will be launched at the next opportunity. 


For more details on vulnerability scans, see Scan for Vulnerabilities. 
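The extraction and launch steps above (steps 2, 3 and 7 of both the internal and the external workflow) can be scripted against the Qualys APIs the guide refers to. The following Python is an added example, not Qualys-provided code. It assumes that the Asset Management API hostasset search (POST /qps/rest/2.0/search/am/hostasset) answers with HostAsset elements carrying an address and, for GCP-sourced hosts, a sourceInfo/GcpAssetSourceSimple element with state and publicIpAddress children (an assumption to verify against a real response from your platform), and that the VM API scan launch (POST /api/2.0/fo/scan/ with action=launch) accepts scan_title, ip, option_title and an optional iscanner_name. The sample response is constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from xml.sax.saxutils import escape

# Constructed sample of a hostasset search response. The GcpAssetSourceSimple
# element and its state/publicIpAddress children are an assumption about the
# platform's XML; check them against a real response before relying on them.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse>
  <responseCode>SUCCESS</responseCode>
  <count>4</count>
  <data>
    <HostAsset><id>101</id><address>10.128.0.5</address><sourceInfo>
      <GcpAssetSourceSimple><state>RUNNING</state>
      <publicIpAddress>34.73.10.20</publicIpAddress></GcpAssetSourceSimple></sourceInfo></HostAsset>
    <HostAsset><id>102</id><address>10.128.0.6</address><sourceInfo>
      <GcpAssetSourceSimple><state>RUNNING</state></GcpAssetSourceSimple></sourceInfo></HostAsset>
    <HostAsset><id>103</id><address>10.128.0.7</address><sourceInfo>
      <GcpAssetSourceSimple><state>TERMINATED</state>
      <publicIpAddress>34.73.10.21</publicIpAddress></GcpAssetSourceSimple></sourceInfo></HostAsset>
    <HostAsset><id>104</id><address>not-an-ip</address><sourceInfo>
      <GcpAssetSourceSimple><state>RUNNING</state></GcpAssetSourceSimple></sourceInfo></HostAsset>
  </data>
</ServiceResponse>"""


def build_search_request(tag_name):
    """ServiceRequest body for POST /qps/rest/2.0/search/am/hostasset that
    selects every host carrying the dynamic tag created in step 1."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<ServiceRequest><filters>"
        f'<Criteria field="tagName" operator="EQUALS">{escape(tag_name)}</Criteria>'
        "</filters></ServiceRequest>"
    )


def extract_ips(response_xml, public=False):
    """Step 2: pull scan targets out of the search response. Private targets
    come from <address>, public ones from the GCP source info. Instances that
    are not RUNNING and values that are not valid IPv4 addresses are skipped,
    so a stale or malformed record cannot steer the scan at the wrong host."""
    root = ET.fromstring(response_xml)
    targets = []
    for host in root.iter("HostAsset"):
        gcp = host.find("sourceInfo/GcpAssetSourceSimple")
        if gcp is None or gcp.findtext("state") != "RUNNING":
            continue
        raw = gcp.findtext("publicIpAddress") if public else host.findtext("address")
        if not raw:
            continue
        try:
            targets.append(str(ipaddress.IPv4Address(raw)))
        except ipaddress.AddressValueError:
            continue
    return targets


def compress_ranges(ips):
    """Collapse consecutive addresses into a-b ranges, the form the scan
    launch accepts in its ip parameter (for example 10.0.0.1-10.0.0.3)."""
    nums = sorted({int(ipaddress.IPv4Address(ip)) for ip in ips})
    parts, i = [], 0
    while i < len(nums):
        j = i
        while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
            j += 1
        first, last = ipaddress.IPv4Address(nums[i]), ipaddress.IPv4Address(nums[j])
        parts.append(f"{first}-{last}" if j > i else str(first))
        i = j + 1
    return ",".join(parts)


def build_launch_params(title, ips, option_title, scanner_name=None):
    """Step 7 via the API: form fields for POST /api/2.0/fo/scan/ with
    action=launch. Passing iscanner_name selects an internal appliance (the
    virtual scanner in your VPC); leaving it out lets the platform use its
    external scanners, which is what the public-facing workflow needs."""
    params = {
        "action": "launch",
        "scan_title": title,
        "ip": compress_ranges(ips),
        "option_title": option_title,
    }
    if scanner_name:
        params["iscanner_name"] = scanner_name
    return params


def launch_request(base_url, params):
    """URL, headers and encoded body for the launch call; X-Requested-With is
    mandatory on the VM API. Sending it needs live credentials, so this example
    stops at preparing the request."""
    return (
        f"{base_url}/api/2.0/fo/scan/",
        {"X-Requested-With": "python", "Content-Type": "application/x-www-form-urlencoded"},
        urlencode(params),
    )


if __name__ == "__main__":
    internal = build_launch_params("GCP_Scan", extract_ips(SAMPLE_RESPONSE),
                                   "Initial Options", "GCP-Scanner-US-Central")
    external = build_launch_params("GCP_Perimeter", extract_ips(SAMPLE_RESPONSE, public=True),
                                   "Initial Options")
    print(launch_request("https://qualysapi.qualys.com", internal))
    print(launch_request("https://qualysapi.qualys.com", external))
```

Keep the private and public target lists separate: the internal launch names the in-VPC appliance, the external one deliberately omits iscanner_name, and the address validation stops a TERMINATED or malformed record from being scanned under the wrong scanner.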


Cloud Inventory and Security Assessment 


This section describes the discovery of cloud inventory such as cloud assets and resources. 
It also describes the security assessment giving full visibility into the public cloud security 
posture of all assets and resources. 


Cloud Inventory 


Qualys Cloud Inventory continuously discovers and tracks assets and resources such as 
VM Instances, Networks, Firewall Rules, Subnetworks, and Cloud Functions across all 
regions and multiple projects in Google Cloud Platform and gives you an "at-a-glance" 
comprehensive picture of your cloud inventory and the location of assets across global 
regions. You can view all this information in one central place. 

Features 


- Provides a quick overview of inventory via pre-built dashboards, and lets you personalize 
or build your own dashboard with custom widgets. 


- Collects rich metadata for every resource and shows associations across resources, so 
you can understand scenarios such as which firewall rules are potentially public and 
unprotected, and which related assets this is impacting. 


[Screenshot: CloudView > RESOURCES > Google Cloud Platform list view, filtered by PROJECT ID (gcp-qualys-demo), RESOURCE TYPE (VM Instances) and REGIONS (us-east).] 


Cloud Security Assessment 


Qualys Cloud Security Assessment gives full visibility into the compliance posture of your 
cloud infrastructure against regional, industry, and government mandates by using 
reports and dashboards. 


Refer to the CloudView User Guide for more details. 
Features: 
- Provides a quick overview of inventory and security posture via dashboards 


- Lets you personalize or build your own with custom widgets based on queries or on other 
criteria, such as "Top 10 accounts based on failures" and "Top 10 controls that are failing" 


- Out-of-box GCP policies like CIS Google Cloud Platform Foundation Benchmark and GCP 
Best Practices Policy 


- Continuously assess and report on resource mis-configurations by checking against the 
controls from out-of-box policies 


- Build your own policies and customize controls to suit your need 


- Ability to view, filter, and export misconfigurations 
[Screenshot: CloudView > Google Cloud Platform dashboard: Total Controls Evaluated, Failures by Criticality, Remediable; filters by Policy (CIS Google Cloud Platform Foundation Benchmark, GCP Kubernetes, GCP Best Practices, GCP Cloud Functions), Control Result (FAIL), Project ID (gcp-qualys-demo, testmikeshproject) and Service (SQL, Compute Engine, Logging). Control rows from the CIS Google Cloud Platform Foundation Benchmark policy, all under IAM & Admin: 52000 Ensure that corporate login credentials are used instead of Gmail accounts; 52001 Ensure that there are only GCP-managed service account keys for each service account; 52002 Ensure that ServiceAccount has no Admin privileges; 52003 Ensure that IAM users are not assigned Service Account User role at project level; 52004 Ensure user-managed/external keys for service accounts are rotated every 90 days or less; 52005 Ensure KMS encryption keys are rotated within a period of 90 days; 52006 Ensure that Separation of duties is enforced while assigning KMS related roles.] 
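As an added illustration of what a control evaluation of this kind does (this is not Qualys code and not how CloudView implements its checks), the following Python evaluates two of the CIS controls shown in the dashboard, 52001 (only GCP-managed service account keys) and 52004 (user-managed keys rotated every 90 days or less), over service account key metadata in the shape of the IAM API's ServiceAccountKey resource (keyType USER_MANAGED or SYSTEM_MANAGED, validAfterTime in RFC 3339). The key data and the clock are constructed for the example; the function names are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Fixed clock so the evaluation is reproducible.
EVAL_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample, shaped like the output of
#   gcloud iam service-accounts keys list --iam-account=<sa> --format=json
# grouped by service account. Only the fields the two controls need are kept.
SAMPLE_KEYS = {
    "sa-build@gcp-qualys-demo.iam.gserviceaccount.com": [
        {"name": "keys/a1", "keyType": "SYSTEM_MANAGED", "validAfterTime": "2024-05-20T00:00:00Z"},
        {"name": "keys/b2", "keyType": "USER_MANAGED", "validAfterTime": "2024-01-10T00:00:00Z"},
    ],
    "sa-web@gcp-qualys-demo.iam.gserviceaccount.com": [
        {"name": "keys/c3", "keyType": "SYSTEM_MANAGED", "validAfterTime": "2024-05-25T00:00:00Z"},
    ],
    "sa-ci@gcp-qualys-demo.iam.gserviceaccount.com": [
        {"name": "keys/d4", "keyType": "USER_MANAGED", "validAfterTime": "2024-05-01T00:00:00Z"},
    ],
}


def parse_rfc3339(ts):
    """IAM timestamps are UTC with a trailing Z; make them timezone-aware."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def control_52001(keys_by_account):
    """Only GCP-managed service account keys: an account fails as soon as it
    carries any USER_MANAGED key, because that key material left Google's control."""
    return sorted(
        account for account, keys in keys_by_account.items()
        if any(k["keyType"] == "USER_MANAGED" for k in keys)
    )


def control_52004(keys_by_account, now, max_age_days=90):
    """User-managed keys rotated every 90 days or less: report each
    USER_MANAGED key whose validAfterTime is older than the limit.
    System-managed keys are rotated by Google and are out of scope."""
    stale = []
    for account, keys in sorted(keys_by_account.items()):
        for k in keys:
            if k["keyType"] != "USER_MANAGED":
                continue
            age = now - parse_rfc3339(k["validAfterTime"])
            if age > timedelta(days=max_age_days):
                stale.append(f"{account}:{k['name']}")
    return stale


def evaluate(keys_by_account, now):
    """Run both controls and report PASS/FAIL with the failing resources,
    mirroring the control result and resource count columns in the dashboard."""
    results = {}
    for control_id, failed in (
        ("52001", control_52001(keys_by_account)),
        ("52004", control_52004(keys_by_account, now)),
    ):
        results[control_id] = {"status": "FAIL" if failed else "PASS", "resources": failed}
    return results


if __name__ == "__main__":
    for control_id, result in evaluate(SAMPLE_KEYS, EVAL_NOW).items():
        print(control_id, result["status"], result["resources"])
```

The two controls disagree on purpose: sa-ci fails 52001 (it has a user-managed key at all) but passes 52004 (that key is only a month old), which is the difference between a policy that forbids external keys and one that merely bounds their lifetime.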
Securing Web Applications 


You can secure your applications by using the Qualys Web Application Scanning and Web 
Application Firewall solutions. 


[Screenshot: Modules > APPLICATION SECURITY: Web Application Scanning (WAS), identify and manage web application security risks; Web Application Firewall (WAF), detect attacks and protect your web applications.] 


Qualys WAS 


Qualys Web Application Scanning (WAS) provides automated crawling and testing of 
custom web applications to identify application and REST API vulnerabilities including 
cross-site scripting (XSS) and SQL injection. To get started, install the Qualys Virtual 
Scanner Appliance. This is the same appliance used to scan for vulnerabilities and 
compliance checks. 


How do I get started? 


- Deploy the Qualys Virtual Scanner Appliance as described earlier in this guide. You can 
scan your Google Cloud Compute Engine instances along with all other global elastic cloud 
and on-premise assets from within the Qualys Cloud Platform; the Qualys Virtual Scanner 
Appliance can be deployed directly from the Google Marketplace. 


- Then review the instructions in the Qualys Web Application Scanning Getting Started Guide. 

Qualys WAF 


Protect applications with firewall rules and instant virtual patches by using Qualys Web 
Application Firewall (WAF). 


How do I get started? 
- Install the Web Application Firewall Appliance available on GCP. 


- Then review instructions in Qualys Web Application Firewall Getting Started Guide. 


Securing Containers 


Qualys Container Security provides discovery, tracking and continuous protection for 
container environments. It addresses vulnerability management for images and 
containers in the DevOps pipeline and in deployments across cloud and on-premise 
environments. Qualys Container Security supports: 


- Discovery, inventory and near-real-time tracking of container environments 
- Vulnerability analysis for images and containers 
- Vulnerability analysis for registries 


- Integration with CI/CD pipeline using Jenkins/Bamboo Plugins or REST APIs (DevOps 
flow) 


- Support for GKE deployments 
- Support for Google Container Registry (GCR) and Google Artifact Registry 
Scanning Assets 

[Screenshot: Container Security > Container Security Overview, Last 30 Days: TOTAL IMAGES 328, TOTAL CONTAINERS 604; image distribution by vulnerability severity; container distribution by vulnerability severity; image distribution by registry; container distribution by state.] 

For more details, refer to the Qualys Container Security User Guide. 

Deploying Container Sensor 


The Qualys sensor is designed for native support of Docker environments. It is packaged 
and delivered as a Docker image. Download the image and deploy it as a container 
alongside the other application containers on the host. Because it is Docker based, the 
sensor can be deployed into orchestration environments such as Kubernetes, Mesos or 
Docker Swarm just like any other application container. 


For more details, refer to the Qualys Container Security Deployment Guide. 

Analysis, Reporting and Remediation 


This section covers - how to query assets, build widgets and dashboards, and then how to 
generate vulnerability reports on GCP assets. 


Using Qualys Search Tokens 


Our advanced search capabilities help you quickly find your asset data all in one place. In 
your Qualys subscription, in the module picker, choose the Qualys AssetView app and go 
to the Assets tab. This is where you see an inventory of all your scanned assets. Say you 
want to find all your GCP assets. Type provider and select GCP from the drop-down menu. 


[Screenshot: AssetView > Assets, with provider typed in the search box. Syntax help for provider: select the name of a cloud service provider (AWS, GCP, Azure) from the drop-down menu. Example: provider:"AWS" shows assets synced from Amazon AWS.] 


You can search many GCP asset properties. Start typing gcp and you see a list of GCP asset 
properties (tokens) that you can use to search. Hover over the token name and see the 
syntax help to the right. 


[Screenshot: AssetView > Assets, with gcp typed in the search box, listing tokens such as gcp.compute.hostname, gcp.compute.instanceId, gcp.compute.macAddress, gcp.compute.machineType, gcp.compute.network, gcp.compute.privateIpAddress and gcp.compute.projectId. Syntax help for gcp.compute.hostname: use a text value to define the hostname you're looking for. Examples: gcp.compute.hostname:instance-5.c.qvsa-dev.internal finds GCP instances related to the name; gcp.compute.hostname:`instance-5.c.qvsa-dev.internal` finds instances that match the exact value.] 


Viewing Asset Details 


The latest vulnerability and compliance data is always available in your assets inventory. 
Just select the asset and choose View Asset Details from the quick actions menu. 


[Screenshot: AssetView > Assets, with the quick actions menu open on a selected asset.] 

Saving Search Query 


Easily save your searches for reuse and share them with other users. 


[Screenshot: Create a new search. Saved Searches allow you to quickly navigate from one search filter to another. Fields: Search Title (required, for example My GCP Assets), Add this search to your favorites, Share this search with others.] 


Downloading and Exporting Results 


It just takes a minute to export search results. Select Download from the Tools menu, 
choose one of the export formats, and click Download. 


[Screenshot: Datalist Download. Select the download format, then click Download; once the data is available, the download begins automatically. Formats: Comma-Separated Value (CSV), Extensible Markup Language (XML), Portable Document Format (PDF), Microsoft Word (DOC), Compressed HTML pages (ZIP), Web Archive (HTML). Select the timezone to use for dates included in the report.] 

Creating Widget 


You can create a widget based on your query, and add it to your dashboard. For example, 
first search for GCP assets on which vulnerabilities were last found within past 30 days. 
Here's your query: 


provider:"GCP" and vulnerabilities.lastFound>now-30d 


Then choose Create widget. Give a title to your widget. Your query is populated for you. 
You can add this widget to your dashboard. 


[Screenshot: Add a new widget to your dashboard. Widget types: Count, Table, Pie. Fields: Widget Title (GCP Vul within last month); Query (provider:"GCP" and vulnerabilities.lastFound>now-30d); Categories (tags.name); Sort by (count); Sort direction (Ascending); Limit to (TOP 10); Filters to narrow down results for the selected group; Extras: Show Legend, Show Labels; Layout: Vertical Columns or Horizontal Bars. Buttons: Cancel, Previous, Add to Dashboard.] 

Creating Reports 


You can create various reports on vulnerabilities in the Qualys VM module. Go to VM or 
VMDR > Reports > New > Scan Report > Template Based. You can choose from the default 
report templates and customize them, or create your own. Try the Technical Report to see 
full vulnerability details in your report. 


[Screenshot: VMDR > Reports > New menu: Scan Report, Scorecard Report..., Map Report..., Patch Report..., Authentication Report, Remediation Report..., Compliance Report..., Asset Search Report..., Download...] 


Want to report on compliance data? Choose PC from the module picker. Then go to 
Reports > New > Compliance Report, and pick the report you're interested in. 


Dynamic Tagging by Using GCP Metadata 


Create dynamic tag rules to tag your GCP virtual machine instances based on GCP 
metadata as collected by the Qualys Cloud Agent and Qualys Virtual Scanner Appliance. 
For each tag rule, you must provide a search query with GCP instance information. 


It's easy to get started! 

1) Go to AssetView > Assets > Tags > New Tag. 
2) Choose the Cloud Asset Search tag rule. 

3) Select the cloud provider. 


4) Enter your query. Start typing in the Query field and we'll show you the GCP attributes 
that you can search. 


[Screenshot: Tag Creation, Step 2 of 3: Set the tag type and rules. Rule Engine: Cloud Asset Search; Cloud Provider: GCP; Query field; Test Rule Applicability on Selected Assets.] 

Sample queries 
Refer to the following sample queries: 

Find GCP VM instances located in the us-east1-b zone: gcp.compute.zone:us-east1-b 


Find GCP instances that match an exact value: gcp.compute.hostname:`instance-5.c.qvsa-dev.internal` 


Find GCP VM instances within a specific GCP project ID: gcp.compute.projectId:gcp-qualys-demo 


Find GCP VM instances of a specific machine type: gcp.compute.machineType:n1-standard-1 


Find GCP VM instances based on IP address (comma-separated list or range): 

gcp.compute.privateIpAddress:10.128.15.234 
gcp.compute.publicIpAddress:335.232.131.27 


Find GCP instances based on a GCP project number: 
gcp.compute.projectNumber:525006500856 


To know what metadata is collected by Qualys Cloud Agent and Qualys Virtual Scanner 
Appliance, see GCP Metadata. 
Organizing Assets in Qualys Subscription 


Here are some best practices and tips for organizing assets and thereby securing your GCP 
infrastructure by using Qualys applications. 


Setting up Qualys Configurations 


Asset Groups - Organize assets into meaningful groups and assign them to sub-users. 
Asset groups are required when you have multiple user roles such as Scanner, Reader and 
Unit Manager (if business units are defined). The same IP address can be included in 
multiple asset groups. 


[Screenshot: Assets > Asset Groups list with columns Title, IPs, Domains, Appliances, Business Impact, User and Modified; for example My Asset Group (10.10.10.4-10.10.10.255, Business Impact High).] 


Business Units - Organize users and assets into business units in a way that matches your 
organization. This gives Managers the ability to grant users role-based permissions in the 
context of their assigned business unit. The same IP address can be included in multiple 
business units. 


[Screenshot: Users > Business Units list with columns Title, Primary Contact, Users and Modified; for example Asia and Europe.] 


Networks - Organize discrete private IP networks to keep overlapping IP blocks separate. 
When configured, Qualys tracks IPs by network and IP address. Keep in mind... An IP 
address must be unique to your subscription or a single network. 


[Screenshot: VMDR > Assets > Networks list with columns Title and Created By.] 


Removing Terminated Virtual Machines- You can remove terminated virtual machines 
from your Qualys account. Go to VM/VMDR or Policy Compliance > Assets > Asset Search 
and select the assets with tracking method as IP address. You could also add more 
parameters to refine your search such as Last Scan Data not within the past <value> days 
and so on. 
[Screenshot: Vulnerability Management > Assets > Asset Search form. Fields: DNS Hostname, NetBIOS Hostname, EC2 Instance ID, Azure VM ID, Tracking Method (IP address), EC2 Instance status (RUNNING, STARTING), Azure VM state, Operating System, OS CPE, Open Ports, Running Services, QID, Last Scan Date (within / not within the past N days), Last Scan Date (PC), Last Scan Date (SCA), Last Scan Date (SCAP), First Found Date, Asset Groups.] 

Click Search and then select the assets from the results. From the Actions drop-down, 
select Purge. This results in removal of assets along with their associated data from the 
module. 


[Screenshot: Asset Search Report, Actions menu: Edit, Edit All, Add to Asset Groups, Add All to Asset Groups, Add to a new Asset Group, Add All to a new Asset Group, Remove from Asset Groups, Remove All from Asset Groups, Launch Vulnerability Scan, Launch Vulnerability Scan on All, Launch Compliance Scan, Launch Compliance Scan on All, Schedule Vulnerability Scan, Schedule Vulnerability Scan on All, Schedule Compliance Scan, Schedule Compliance Scan on All, Launch Vulnerability Scan Report.] 


Uninstalling Agents 


Consider a scenario where you have deployed Qualys Cloud Agents on your GCP VM 
instances and want to uninstall agents that haven't checked in for the last N days. You 
can use the following API call. 


Sample API request: 


    curl -u "USERNAME:PASSWORD" -X "POST" -H "Content-Type: text/xml" 
    -H "Cache-Control: no-cache" --data-binary @uninstall_agents_not_checkedin.xml 
    "https://qualysapi.qualys.com/qps/rest/2.0/uninstall/am/asset/" 

Contents of uninstall_agents_not_checkedin.xml: 


    <?xml version="1.0" encoding="UTF-8" ?> 
    <ServiceRequest> 
      <filters> 
        <Criteria field="tagName" operator="EQUALS">Cloud Agent</Criteria> 
        <Criteria field="updated" operator="LESSER">2016-08-20T00:00:00Z</Criteria> 
      </filters> 
    </ServiceRequest> 

The two criteria are combined: only assets that carry the tag and whose last update is 
older than the cutoff are uninstalled. Replace the date with today's date minus N days 
before each run. 

For more information on Cloud Agent APIs, refer to the Qualys Cloud Agent API User 
Guide. 
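The request above is easy to get wrong by hand: the cutoff must be recomputed from today's date, and a filter that is too broad uninstalls every agent carrying the tag. The following Python is an added example rather than Qualys code. It builds the same ServiceRequest for "not checked in for N days" and previews how many assets the filter matches through the search endpoint (POST /qps/rest/2.0/search/am/hostasset, which takes the same filters) before anything is sent to the destructive uninstall endpoint. The sample search response is constructed, and reading the match count from a top-level count element of the ServiceResponse is an assumption about the response format.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SEARCH_URL = "https://qualysapi.qualys.com/qps/rest/2.0/search/am/hostasset/"
UNINSTALL_URL = "https://qualysapi.qualys.com/qps/rest/2.0/uninstall/am/asset/"

# Fixed clock for the worked example; use datetime.now(timezone.utc) in practice.
EXAMPLE_NOW = datetime(2016, 8, 30, tzinfo=timezone.utc)


def cutoff_timestamp(now, days):
    """Agents whose last check-in ('updated') is LESSER than this are stale."""
    return (now - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_uninstall_request(tag_name, days, now):
    """ServiceRequest with the two criteria from the guide's XML, which the
    platform ANDs: carries the tag and has not been updated in the last N days."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<ServiceRequest>\n  <filters>\n"
        f'    <Criteria field="tagName" operator="EQUALS">{escape(tag_name)}</Criteria>\n'
        f'    <Criteria field="updated" operator="LESSER">{cutoff_timestamp(now, days)}</Criteria>\n'
        "  </filters>\n</ServiceRequest>\n"
    )


def matched_count(search_response_xml):
    """Read <count> from a search response. The search endpoint accepts the
    same filters as uninstall, so posting the body there first is the dry run."""
    root = ET.fromstring(search_response_xml)
    if root.findtext("responseCode") != "SUCCESS":
        raise RuntimeError(root.findtext("responseErrorDetails/errorMessage") or "request failed")
    return int(root.findtext("count"))


# Constructed sample of the search response used for the preview step.
SAMPLE_SEARCH_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse>
  <responseCode>SUCCESS</responseCode>
  <count>2</count>
  <data>
    <HostAsset><id>101</id><name>instance-5</name></HostAsset>
    <HostAsset><id>102</id><name>instance-7</name></HostAsset>
  </data>
</ServiceResponse>"""


def plan(tag_name, days, now, search_response_xml, max_expected):
    """Return the uninstall body only when the preview count is non-zero and
    within the blast radius you expect; otherwise return None so nothing is sent."""
    count = matched_count(search_response_xml)
    if count == 0 or count > max_expected:
        return None
    return build_uninstall_request(tag_name, days, now)


if __name__ == "__main__":
    body = plan("Cloud Agent", 10, EXAMPLE_NOW, SAMPLE_SEARCH_RESPONSE, max_expected=50)
    print(body or "aborted: unexpected match count")
    # Then: curl -u USER:PASS -X POST -H "Content-Type: text/xml" \
    #       --data-binary @req.xml "$UNINSTALL_URL"
```

Run the body through SEARCH_URL first and only post it to UNINSTALL_URL when the count matches what you expect; an operator typo in the tag name or the date otherwise removes agents you still rely on.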
Frequently Asked Questions (FAQs) 


Which organizations can leverage Qualys Integration with Google Cloud Security 
Command Center? 

Only the organizations that already have an existing Qualys subscription that uses a 
Bring Your Own (Qualys) License can use this integration. 


Can I activate other Qualys modules for assets? 

Yes, you can activate multiple applications on Qualys Cloud Platform including: 

- Global AssetView/CyberSecurity Asset Management 
- Vulnerability Management 
- Endpoint Detection and Response (EDR) 
- Secure Config Assessment 
- Patch Management 
- Policy Compliance 
- File Integrity Monitoring 

However, only Vulnerability Management security findings are available in the Security 
Command Center in Google Cloud, after you configure the Qualys Integration with Google 
Cloud Security Command Center. 


Which Operating Systems are supported by this integration? 

Qualys Integration supports Windows and Linux OS. For the complete list of supported 
Windows and Linux platforms, see the Cloud Agent Platform Availability Matrix for 
Windows and Linux in the Cloud Agent Getting Started Guide. 


How are agent installer upgrades handled in this integration? 

Qualys updates agent installers in the original source, which is available to the 
customer-specific storage buckets created during the Qualys Cloud Agent configuration. 
Even though customer-specific buckets are synced with the original source, Qualys needs 
to inform Google of any upgrades or updates in the original source so that Google can 
trigger a manual sync that updates the customer storage buckets with the updated Qualys 
installers. 


Does this integration and deployment model support proxy or Cloud Agent Gateway 
Service? 

Proxy configuration or Cloud Agent Gateway Service is not included as a part of this 
deployment model. However, proxy configuration can be set after the agent has been 
installed. 


Does this deployment model support a Qualys PCP? 

No, this deployment model only supports utilization of the Qualys Cloud Shared Platform. 

For more details on this integration, see the Qualys Integration with Google Cloud 
Security Command Center: Overview section. 